US10826889B2 - Techniques for onboarding devices based on multifactor authentication - Google Patents

Techniques for onboarding devices based on multifactor authentication Download PDF

Info

Publication number
US10826889B2
US10826889B2 US15/794,259 US201715794259A US10826889B2 US 10826889 B2 US10826889 B2 US 10826889B2 US 201715794259 A US201715794259 A US 201715794259A US 10826889 B2 US10826889 B2 US 10826889B2
Authority
US
United States
Prior art keywords
applicant
trust
trust value
applicant device
trusted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/794,259
Other versions
US20190132308A1 (en
Inventor
Mickael James GRAHAM
Santosh Ramrao Patil
Shyam Sundar Vaidyanathan
Chiragkumar Desai
Swaminathan Anantha
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology Inc filed Critical Cisco Technology Inc
Priority to US15/794,259 priority Critical patent/US10826889B2/en
Assigned to CISCO TECHNOLOGY, INC. reassignment CISCO TECHNOLOGY, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ANANTHA, SWAMINATHAN, DESAI, CHIRAGKUMAR, Graham, Mickael James, PATIL, SANTOSH RAMRAO
Publication of US20190132308A1 publication Critical patent/US20190132308A1/en
Application granted granted Critical
Publication of US10826889B2 publication Critical patent/US10826889B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • This disclosure relates generally to communications systems, more particularly, to multifactor authentication for securing communication channels.
  • Authentication remains a persistent technical problem in our modern information age, driven, in part, by an ever-increasing reliance on network accessible hardware, cloud-based services, as well as a proliferation of untrusted applications and untrusted networks.
  • authentication is part of an overall security process to determine trustworthiness of an applicant device (or application, service, user, etc.) prior to establishing a secure communication channel.
  • authentication techniques are described in terms of the number of factors used to identify/verify the applicant device. For example, a typical username/password process includes a two-factor authentication in that a user provides two pieces of information for authentication.
  • authentication processes that involve more factors are often more secure (e.g., multifactor authentication processes), however, employing additional factors often involves additional complexity, cost, and time.
  • FIG. 1 illustrates an example communication environment
  • FIG. 2 illustrates an example device for performing the onboarding techniques disclosed herein
  • FIG. 3 illustrates another communication environment, showing various applicant devices and an onboarding server
  • FIG. 4 illustrates the communication environment of FIG. 3 , showing the onboarding server operatively determining a location trust value and a configuration trust value for one of the client devices;
  • FIG. 5 illustrates the communication environment of FIG. 3 , showing the onboarding server operatively determining an environment trust value for one of the client devices;
  • FIG. 6 illustrates the communication environment of FIG. 3 , showing the onboarding server operatively determining an environment trust value for one of the client devices;
  • FIG. 7 illustrates the communication environment of FIG. 3 , showing the onboarding server operatively determining an overall trust score for one of the client devices;
  • FIG. 8A illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device that has a secure unique device identifier
  • FIG. 8B illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device that does not have the secure unique device identifier nor an associated customer account;
  • FIG. 8C illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device using an onboard dashboard
  • FIG. 8D illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device using a mobile application
  • FIG. 9 illustrates a schematic diagram of an example onboard dashboard display, showing applicant devices and associated trust scores.
  • FIG. 10 illustrates an exemplary simplified procedure for onboarding an applicant devices, particularly from the perspective of the onboarding server shown in FIG. 3 .
  • an onboarding server performs a multifactor trust/authentication process to onboard an applicant device—e.g., to secure a communication channel between the applicant device and one or more other network devices (e.g., cloud based resources, etc.).
  • the server receives a certificate signing request (CSR) and onboarding information for an applicant device, where the onboarding information includes at least an applicant device identifier and an applicant Internet Protocol (IP) address.
  • CSR certificate signing request
  • IP Internet Protocol
  • the server also identifies a customer associated with the applicant device based on the applicant device identifier and a database of device identifiers (e.g., a lookup database) for registered devices associated with one or more customers.
  • the server further determines at least one of the registered devices is associated with the customer is a trusted device, and determines a location trust value, an environment trust value, and a trust score based on the location trust value/environment trust value. For example, the server determines the location trust value based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device, and determines the environment trust value based on a proximity in a network topology between the applicant device and the trusted device.
  • the server sends a signed certificate, corresponding to the CSR, to the applicant device when the trust score for the applicant device exceeds a threshold.
  • network based computing or “cloud” computing generally refers to a collection of computing resources, such as hardware, software, applications, services, etc., allocated to and accessible by customers over one or more communication networks (e.g., the Internet).
  • customer devices communicate within and across networks to register, lease, coordinate, or otherwise secure network based computing resources based on customer needs.
  • a communication network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc.
  • end nodes such as personal computers and workstations, or other devices, such as sensors, etc.
  • Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs).
  • LANs typically connect these nodes over dedicated private communications links located in the same general physical location, such as a building or campus.
  • WANs typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, etc.
  • SONET synchronous optical networks
  • SDH synchronous digital hierarchy
  • FIG. 1 illustrates an example communication network environment 100 illustratively comprising a network 105 , such as an enterprise network or data center network, as well as a network 110 , such as a public network like the Internet. It is appreciated that various other types of networks and/or sub-divisions within these networks are often present; however, communication network environment 100 is illustrated and described herein for purposes of discussion and simplicity.
  • a network 105 such as an enterprise network or data center network
  • a network 110 such as a public network like the Internet. It is appreciated that various other types of networks and/or sub-divisions within these networks are often present; however, communication network environment 100 is illustrated and described herein for purposes of discussion and simplicity.
  • network 105 include nodes/devices 106 (e.g., routers, switches, servers, and the like) interconnected by communication links 108 .
  • Communication links 108 may be wired links or shared media (e.g., wireless links, etc.) where certain devices may be in communication with other nodes/devices based on, for example, distance, signal strength, network/node topology, current operational status, location, etc.
  • Data packets 140 may be exchanged among the nodes/devices 106 in communication network environment 100 using predefined network communication protocols such as certain known wired protocols (e.g., Interior Gateway Protocol (IGP), Exterior Border Gateway Protocol (E-BGP), TCP/IP, etc.), wireless protocols (e.g., IEEE Std. 802.15.4, WiFi, Bluetooth®, etc.), PLC protocols, or other shared-media protocols where appropriate.
  • a protocol consists of a set of rules defining how the nodes interact with each other.
  • nodes/devices 106 in network 105 include “edge” devices interconnected with an onboarding server 200 .
  • Onboarding server 200 operatively facilitates communications between one or more client devices 120 in network 110 and network resources (e.g., devices 106 ) in network 105 , as discussed in greater detail below.
  • FIG. 2 is a schematic block diagram of an example device 200 (e.g., an onboarding server, etc.) that may be used with one or more embodiments described herein.
  • Device 200 may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220 , and a memory 240 interconnected by a system bus 250 .
  • network interfaces 210 e.g., wired, wireless, PLC, etc.
  • processor 220 e.g., a processor 220
  • memory 240 interconnected by a system bus 250 .
  • Device 200 may comprise one or more network interfaces 210 , at least one processor 220 , and a memory 240 interconnected by a system bus 250 .
  • Network interface(s) 210 contain the mechanical, electrical, and signaling circuitry for communicating data over links coupled to one or more of the networks shown in communication environment 100 .
  • Network interfaces 210 may be configured to transmit and/or receive data using a variety of different communication protocols, as will be understood by those skilled in the art.
  • Memory 240 comprises a plurality of storage locations that are addressable by processor 220 for storing software programs and data structures associated with the embodiments described herein.
  • Processor 220 may comprise necessary elements or logic adapted to execute the software programs and manipulate data structures 245 .
  • An operating system 242 portions of which are typically resident in memory 240 and executed by processor 220 , functionally organizes the device by, inter alia, invoking operations in support of software processes and/or services executing on the device.
  • These software processes and/or services may comprise an illustrative “onboarding” process/service 244 , as described herein. Note that while process/service 244 is shown in centralized memory 240 , some embodiments provide for these processes/services to be operated in a distributed computing network.
  • processor and memory types including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein.
  • the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the illustrative onboarding process 244 , which may contain computer executable instructions executed by the processor 220 to perform functions relating to the techniques described herein.
  • this disclosure describes various processes, it is expressly contemplated such processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while the processes have been shown separately, those skilled in the art will appreciate that processes may be routines or modules within other processes.
  • processor 220 can include one or more programmable processors, e.g., microprocessors or microcontrollers, or fixed-logic processors.
  • any associated memory e.g., memory 240
  • Processor 220 can also include a fixed-logic processing device, such as an application specific integrated circuit (ASIC) or a digital signal processor that is configured with firmware comprised of instructions or logic that can cause the processor to perform the functions described herein.
  • ASIC application specific integrated circuit
  • program modules may be encoded in one or more tangible computer readable storage media for execution, such as with fixed logic or programmable logic, e.g., software/computer instructions executed by a processor, and any processor may be a programmable processor, programmable digital logic, e.g., field programmable gate array, or an ASIC that comprises fixed digital logic, or a combination thereof.
  • any process logic may be embodied in a processor or computer readable medium that is encoded with instructions for execution by the processor that, when executed by the processor, are operable to cause the processor to perform the functions described herein.
  • authentication remains a persistent technical problem in our modern information age.
  • challenges arise when balancing cost, complexity, convenience, scalability, and overall security.
  • each additional factor may also increase an overall system complexity, which, in turn, may limit system scalability.
  • hardware based solutions for registering and authenticating devices (e.g., chip level identity packages, secure unique device identifiers certificate and certificate chains, etc.)
  • current deployments of client devices may include legacy and/or non-compatible devices that do not support such hardware based solutions.
  • the techniques disclosed herein provide security mechanisms to onboard a variety of devices using multifactor authentication, which includes determining trust scores and generating signed certificates.
  • the techniques herein support onsite applications (e.g., mobile devices) for registering applicant devices as well as dashboard driven trust scores that support initial (e.g., first-time) registrations based on device characteristics, deployment environment (e.g., network topology) information, and the like.
  • initial registration the techniques also provide certificate signing request (CSR) processes, initiated by registered devices, for ongoing and seamless communications.
  • CSR certificate signing request
  • FIG. 3 illustrates another example communication environment 300 for performing onboarding processes according to one or more embodiments of this disclosure.
  • Communication environment 300 includes network 105 (e.g., a data center network), network 110 (e.g., local or client side network), and an onboarding server 305 .
  • Onboarding server 305 can represent device 200 (and/or component features thereof).
  • Communication environment also illustrates various client devices, including client devices 321 , 322 , 323 , and 324 .
  • Onboarding server 305 may include a Plug-n-Play (PnP) server operable to collect multiple data points about client devices 321 - 324 in their respective environment and translate such data points into an overall trust score.
  • PnP Plug-n-Play
  • This trust score provides a confidence measure based on various factors which will be used by, for example, a network administrator (e.g., using a central onboarding dashboard, a mobile application, etc.) or an automatic process to make a decision whether or not to trust certain devices (e.g., when the overall trust score exceeds a threshold value).
  • the client devices 321 - 324 can include switches, routers, servers, and the like.
  • client device 322 represents a new or applicant device that attempts to initially establish a secure communication channel for communicating with or otherwise accessing network resources in network 105 (e.g., data center resources).
  • Onboarding server 305 evaluates information corresponding to client device 322 as well as information regarding the environment around or about client device 322 . For example, onboarding server 305 collects an applicant device ID, an IP address/geolocation based on the IP address, and device configuration information corresponding to client device 322 . In addition, onboarding server 305 also collects environment information in which client device 322 operates. This environment information includes, for example, neighbor device information corresponding to client devices 321 , 323 and 324 , including neighbor device IDs, IP addresses/geo-locations, and respective device configurations.
  • FIG. 4 illustrates a schematic diagram 400 , showing a process to determine a location trust value 405 and a configuration trust value 410 for client device 322 .
  • onboarding server 305 receives the applicant device ID (e.g., a serial number, a media access control (MAC) address, other device specific identifiers, etc.) and, based on the device ID, determines a customer profile 415 as well as an expected device configuration—e.g., here, a profile 420 , which includes expected configuration parameters associated with client device 322 .
  • the applicant device ID e.g., a serial number, a media access control (MAC) address, other device specific identifiers, etc.
  • MAC media access control
  • client device ID e.g., a profile 420
  • onboarding server 305 may access a database of customer accounts with individual customer profiles, where each customer profile includes a list of registered/trusted devices and registered/trusted device information.
  • the customer profile 415 includes registered/trusted device information for
  • Onboarding server 305 further determines the geolocations and/or IP ranges for registered/trusted devices associated with customer profile 415 and compares these geolocations/IP ranges to an IP address/geolocation for client device 322 .
  • onboarding server 305 determines location trust value 405 based on a nearness or proximity (e.g., geolocation proximity) between client device 322 and registered/trusted client devices 323 and 324 . As shown, the IP address for client device 322 is within the IP address ranges for client devices 323 and 324 , which corresponds to an increased level or trust, or an increased location trust value 405 .
  • an IP address (or geolocation) for client device 322 outside the IP address ranges indicates a decreased level of trust or a decreased location trust value 405 (or may even result in a null or 0 value).
  • onboarding server 305 compares actual location information for client device 322 to other known locations of trusted/registered neighboring devices for the same customer, thereby helping to ensure client device 322 is physically present at or near an expected location (and not a rogue device attempting to hack into network 105 ).
  • onboarding server 305 determines expected configuration parameters (e.g., hardware components/software components/etc.) for client device 322 based on the applicant device ID. For example, onboarding server 305 can access a database of configuration parameters associated with device identifiers (e.g., manufacturing serial numbers, etc.), where each device identifier is matched to configuration parameters such as device type, manufacturer, a number of processors, types of memory, storage capacity, add-on modules, software configurations/modules, operating systems/versions, base licensing information, port capacity, and the like. Onboarding server 305 compares the expected configuration parameters with the actual configuration parameters received from client device 322 to determine configuration trust value 410 . In operation, matching configuration parameters correspond to an increased level of trust, or an increased configuration trust value 410 , while non-matching configuration parameters correspond to a decreased level of trust, or a decreased configuration trust value 410 .
  • expected configuration parameters e.g., hardware components/software components/etc.
  • onboarding server 305 can access a database of configuration parameters associated
  • FIG. 5 illustrates a schematic diagram 500 , showing a process to determine an environment trust value 505 for client device 322 .
  • onboarding server 305 uses a network discovery protocol (e.g., neighbor discovery, Cisco discovery, inverse neighbor discovery, secure neighbor discovery, and so on) to determine devices neighboring with or connected to client device 322 . In this fashion, onboarding server 305 can determine a network topology for devices proximate to client device 322 .
  • onboarding server 305 may determine neighbor device information (e.g., serial numbers, types of devices, etc.) and verify such information with customer profiles and trusted/registered devices (e.g., for a deployment site, etc.), as discussed above.
  • onboarding server 305 increases environment trust value 505 for neighboring devices cross-verified with trusted/registered devices for a customer site and decreases environment trust value 505 for non-matching devices.
  • FIG. 6 illustrates a schematic diagram 600 , showing a process to determine an activation trust value 605 for client device 322 .
  • onboarding server 305 receives time stamp 602 , which represents the time information when client device 322 sends an initial request (e.g., a certificate signing request (CSR), etc.) to onboarding server 305 .
  • Onboarding server 305 also determines a system “up-time” for client device 322 , which represents time information corresponding to when the client device was booted up.
  • client device 322 may provide the system up-time to onboarding server 305 in response to a request, or by other request/response mechanisms.
  • Onboarding server 305 determines a time difference between the system up-time and time stamp 602 and compares such time difference to an activation window 610 (e.g., an authorized activation time-period).
  • Activation window 610 represents a threshold window of time between client device 322 booting up and sending the initial request.
  • Onboarding server 305 increases activation trust value 605 when the time difference is within activation window 610 , and decreases activation trust value 605 when the time difference is outside of activation window 610 .
  • activation window 610 may represent an absolute time or time-period, within which client device 322 must send its initial request to onboarding server 305 .
  • time-period may be based on a customer schedule and/or it may be coordinated with the manufacturer (or 3 rd party seller).
  • activation window 610 can represent the time-period within which a customer is expected to activate or setup client device 322 .
  • onboarding server 305 receives the initial onboard request, determines the initial request time (e.g., based on time stamp 602 ), and compares the initial request time to activation window 610 .
  • onboarding server 305 increases activation trust value 605 when the time stamp associated with the initial request falls within activation window 610 and decreases activation trust value 605 when the time stamp associated with the initial request falls outside activation window 510 .
  • FIG. 7 illustrates a schematic diagram 700 , showing a process to combine multiple trust values into a comprehensive trust score 705 .
  • onboarding server 305 determines the various trust values, including location trust value 405 , configuration trust value 410 , environment trust value 505 , and activation trust value 605 .
  • Onboarding server 305 further compiles or aggregates these trust values into a single trust score 705 , which is represented by a number “60”, e.g., on a scale of 0-100, where 0 is untrustworthy and 100 is trustworthy.
  • onboarding server 305 determines trust score 705 as a numerical value on a particular scale, it is appreciated, any value, metric, or scale may be used to represent trustworthiness or untrustworthiness for trust score 705 (e.g., numbers, percentages, colors, charts, diagrams, etc.). In addition, it is also appreciated that individual trust scores may (or may not) be dispositive ultimate determinations to trust (or not trust) an applicant device. Moreover, some trust values may be emphasized over others by employing weights, ranks, priorities, and the like, as is appreciated by those skilled in the art. In this fashion, trust score 705 provides a confidence measure based on various factors which can be used in an automatic onboarding process (e.g., based on some predetermined criteria) or evaluated by a network administrator using a central onboarding dashboard (or mobile application).
  • onboarding server 305 operates to evaluate information corresponding to client device 322 (as well as other information regarding the environment around/about client device 322 ), determine trust values (e.g., location trust value 405 , configuration trust value 410 , environment trust value 505 , activation trust value 605 , etc.), and generate a trust score (e.g., trust score 705 ) based on the same.
  • a network administrator evaluates the trust score to determine if client device 322 is trustworthy while in other embodiments, onboarding server 305 may automatically make such determinations based on some predetermined trust criteria (e.g., threshold values, etc.).
  • client device 322 and onboarding server 305 establish a secure communication channel, which provides access to and allows client device 322 to join a management system as well as other parts of the network.
  • FIGS. 8A-8D collectively illustrate signaling diagrams 801 - 804 , showing call flows or messages sent between network devices during the onboarding processes described herein. For purposes of discussion herein, certain flows or messages common amongst signaling diagrams 801 - 804 are generally referenced by the same number and are discussed when initially presented.
  • FIG. 8A in particular illustrates a signaling diagram 801 , showing a baseline process to onboard a device when client device 322 has a secure unique device identifier (SUDI) (e.g., a built-in SUDI certificate based on a specific hardware trust module).
  • SUDI secure unique device identifier
  • client device 322 boots up attempts to connect to a PnP server service (e.g., access network resources such as those shown in network 105 ) through onboarding server 305 .
  • Client device 322 initiates a secure connection toward the server at step 851 , and in response, onboarding server 305 performs a SUDI check with a customer database 805 .
  • Customer database 805 represents a database inventory that maps device serial numbers, customer profiles (e.g., customer accounts), and PnP account information. Since client device 322 has a valid SUDI, customer database indicates the SUDI is supported at step 853 .
  • Onboarding server 305 and client device 322 perform mutual authentication to establish a secure communication channel using a stored certificate—shown by steps 855 , SUDI based secure authentication and 857 , secure connection with mutual authentication. However, as discussed above, in some instances, some devices may not be SUDI compatible (e.g., may not use appropriate hardware chips, etc.).
  • FIG. 8B illustrates a signaling diagram 802 , showing a non-SUDI onboarding processes, where client device 322 provides additional information to onboarding server 305 and attempts authentication using a certificate signing request (CSR).
  • CSR certificate signing request
  • client device 322 follows steps 851 and 852 .
  • customer database 805 indicates SUDI authentication is unsupported.
  • onboarding server 305 sends a forbidden device message in step 856 , which triggers a CSR from client device 322 in step 858 .
  • Onboarding server 305 receives the CSR as well as additional information such as a device identifier (e.g., serial number, MAC address), an IP address, geolocation information, hardware/software configuration information, neighbor device information (e.g., using Cisco Discovery Protocol, etc.), and the like. Onboarding server 305 generates a trust score based on various trust values (e.g., configuration trust value 405 , location trust value 410 , environment trust value 505 , and activation trust value 605 ), discussed above. Onboarding server 305 further checks with customer database 805 , at step 859 , for customer account information associated with client device 322 .
  • a device identifier e.g., serial number, MAC address
  • IP address e.g., IP address
  • geolocation information e.g., IP address
  • geolocation information e.g., IP address
  • hardware/software configuration information e.g., using Cisco Discovery Protocol, etc.
  • neighbor device information e.g., using Cisco Discovery Protocol, etc
  • customer database 805 indicates, at step 860 , no customer account (e.g., “no smart account mapped”) is associated with client device 322 . Without an associated customer account, onboarding server 305 rejects, at step 861 , the CSR.
  • no customer account e.g., “no smart account mapped”
  • FIG. 8C illustrates a signaling diagram 803 , showing another non-SUDI onboarding process, where client device 822 is associated with a customer account (e.g., “smart account”). While signaling diagram 802 provides signal flows that describe onboarding server 305 generating trust score 705 , checking customer database for customer account information (step 859 ), and receiving an indication (step 860 ) no customer account is associated with client device 322 , signaling diagram 803 describes signal flows when a customer account is associated with client device 322 . In particular, as shown at step 861 , customer database 805 indicates client device 822 is associated with a customer account—here, “smart account mapped”.
  • customer database 805 indicates client device 822 is associated with a customer account—here, “smart account mapped”.
  • onboarding server 305 determines, in step 862 , the customer profile/account information and sends, in step 863 , an approval notification to an onboard dashboard 810 .
  • Onboard dashboard 810 provides an interface to a user (e.g., network administrator, etc.) and displays approval notifications, device information, trust scores, and the like.
  • a network administrator accesses onboard dashboard 810 to evaluate devices and approve or deny CSRs based on respective trust scores.
  • the network administrator uses dashboard 810 to approve the CSR request in step 864 .
  • onboarding server 305 sends, in step 865 , a signed CSR certificate (e.g., a time-bound CSR) to client device 322 .
  • a signed CSR certificate e.g., a time-bound CSR
  • Client device 322 establishes a secure communication channel with onboarding server 305 using the signed CSR certificate in step 866 .
  • onboarding server 305 may skip step 863 (e.g., sending an approval notification to an onboard dashboard 810 ) and instead, determine the device is trustworthy based on some predetermined criteria. For example, onboarding server 305 can evaluate the trust score for a device and/or for specific devices identified by a serial number, etc. The onboarding server 305 further compares the trust score for the device (or specific devices) against a predetermined threshold value. In this fashion, for large-scale deployments, an onboarding server may automatically approve certain devices without requiring manual approval, intervention, or further user input by onboard dashboard 810 .
  • signaling diagram 803 also illustrates an initial or first time approval/authentication process. It is appreciated, however, after performing this initial process, client device 322 can use the signed certificate on an ongoing basis without requiring the same initial information burden.
  • FIG. 8D illustrates a signaling diagram 804 , showing an onboarding process using a mobile application—e.g., onboard mobile application 815 .
  • signaling diagram 804 illustrates operations and signal flows between client device 322 , onboarding server 305 , and customer database 805 .
  • customer database 805 indicates a customer account is associated with client device 322 (step 861 —“smart account mapped”)
  • onboarding server 305 further identifies, in step 867 , a mobile application user for the customer account and further notifies, in step 868 , onboard mobile application 815 (e.g., the mobile application user) to evaluate the CSR.
  • Onboard mobile application 815 may provide, for example, a display notification on a mobile device similar to the notifications shown by onboard dashboard 810 .
  • onboarding server 305 sends, in step 865 , a signed CSR certificate (e.g., a time-bound CSR) to client device 322 .
  • Client device 322 establishes a secure communication channel with onboarding server 305 using the signed CSR certificate in step 866 .
  • Signaling diagram 804 generally illustrates notification and authorization by a mobile application.
  • the mobile device is used by an administrator/installer the mobile application.
  • the mobile device connects to onboarding server 305 , which authenticates the user with role-based access control and multifactor web authentication mechanisms.
  • the administrator/installer can use onboard mobile application 815 to manually validate client device 322 by physically connecting to the device, scanning a device identification tag (e.g., RFID tag, etc.), or performing a network scan using onboard mobile application 815 while onsite/connected to a local network.
  • the mobile application may employ a layer 3 application (e.g., mDNS) that broadcasts a rotating secure ID.
  • the locally connected mobile application can be linked to a central cite, which can confirm the broadcast matches what the mobile application sees. With both devices on the same network and physically present, the installer can trust the credentials, and thus, the applicant device.
  • FIGS. 8A-8D illustrate onboarding processes described by call flows or messages sent between network devices when, for example, an applicant device has a built in secure unique device identifier (SUDI) (signaling diagram 801 ), an applicant device does not have a SUDI nor is the applicant device associated with customer account information (signaling diagram 802 ), an applicant device is associated with customer account information and notifications are sent to an onboard dashboard (signaling diagram 803 ) or sent to an onboard mobile application (signaling diagram 804 ).
  • SUDI secure unique device identifier
  • FIGS. 8A-8D collectively illustrate signaling diagrams 801 - 804 , showing call flows or messages sent between network devices during the onboarding processes described herein. It should be noted that certain steps within signaling diagrams 801 - 804 may be optional, and further, the steps shown in FIGS. 8A-8D are merely examples for illustration—certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein.
  • FIG. 9 illustrates a schematic diagram of an example onboard dashboard display 900 , showing applicant devices, indicated by applicant device identifiers 910 , respective status 915 (e.g., “trusted” or “untrusted”), and an action menu 920 (e.g., “approve CSR” or “deny CSR”).
  • Onboard dashboard display 900 may represent a graphical interface used by, for example, onboard dashboard 810 and/or onboard mobile application 815 .
  • trust scores such as the illustrated trust score 925 , are determined based on a host of trust values, including an environment trust value, an activation trust value, a location trust value, a configuration trust value, and/or combinations thereof.
  • onboard dashboard 810 may provide a manual override interface to an otherwise automatic approval/denial process, where an onboarding server (e.g., onboarding server 305 ) automatically approves/denies CSRs from applicant devices based on predetermined criteria (as discussed above).
  • an onboarding server e.g., onboarding server 305
  • predetermined criteria as discussed above.
  • FIG. 10 an example simplified procedure 1000 for onboarding an applicant device, particularly from the perspective of an onboarding server (e.g., onboarding server 305 ).
  • an onboarding server e.g., onboarding server 305 .
  • Procedure 1000 begins at step 1005 and continues on to step 1010 where, as discussed above, the onboarding server receives a certificate signing request (CSR) as well as onboarding information for an applicant device.
  • CSR certificate signing request
  • the onboarding information typically includes applicant device identifier (e.g., serial number, MAC, etc.), an Internet Protocol (IP) address, device configuration parameters (e.g., hardware, software, etc.), and the like.
  • applicant device identifier e.g., serial number, MAC, etc.
  • IP Internet Protocol
  • device configuration parameters e.g., hardware, software, etc.
  • onboarding server identifies a customer associated with the applicant device (e.g., a smart account, etc.) based on the applicant device identifier. For example the onboarding server communicates with a database of device identifiers for registered devices associated with one or more customers and matches the applicant device identifier to one of the customers. The onboarding server also determines, in step 1015 , one of the registered devices associated with the customer is a trusted device and determines a location trust value for the applicant device, in step 1020 , based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device.
  • a customer associated with the applicant device e.g., a smart account, etc.
  • the onboarding server communicates with a database of device identifiers for registered devices associated with one or more customers and matches the applicant device identifier to one of the customers.
  • the onboarding server also determines, in step 1015 , one of the registered devices associated with the customer is a trusted device and determines a location trust value for the
  • the onboarding device also determines an environment trust value, in step 1025 for the applicant device based on a proximity in a network topology (e.g., using discovery protocols to discover neighboring devices) between the applicant device and the trusted device.
  • a network topology e.g., using discovery protocols to discover neighboring devices
  • the onboarding server further determines, in step 1030 , a configuration trust value based on applicant device configuration parameters (e.g., hardware, processors, memory, software, operating systems, service modules, etc.). For example, the onboarding server may lookup expected device configurations for the applicant device and compare such expected device configurations to actual device configurations provided by the applicant device and/or provided by neighboring devices that communicate with the applicant device.
  • applicant device configuration parameters e.g., hardware, processors, memory, software, operating systems, service modules, etc.
  • the onboarding server determines an activation trust value based on an activation time and an authorized activation time-period. For example, as discussed above, the onboarding server can compare a time between device boot-up and the CSR request and/or compare a time stamp associated with the CSR request and an activation window (e.g., a time period) for onboarding the applicant device.
  • an activation trust value based on an activation time and an authorized activation time-period. For example, as discussed above, the onboarding server can compare a time between device boot-up and the CSR request and/or compare a time stamp associated with the CSR request and an activation window (e.g., a time period) for onboarding the applicant device.
  • the onboarding server evaluates the various trust values, e.g., the location trust value, the environment trust value, the configuration trust value and/or the activation trust value, to determine, in step 1040 , an overall trust score for the applicant device.
  • the trust score can be displayed on a dashboard or other user interface (e.g., mobile application, etc.) for user approval.
  • the onboarding server may make an automatic determination to trust (or deny) the applicant device based on the trust score exceeding some predetermined criteria/value.
  • the onboarding server sends, in step 1045 , a signed certificate (CSR) to the applicant device and establishes, in step 1050 , a secure communication channel with the applicant device.
  • Procedure 1000 subsequently ends in step 1055 , but may continue on to step 1010 where, as discussed above, the onboarding server receives a certificate signing request (CSR) from an applicant device.
  • CSR certificate signing request
  • procedure 1000 may be optional, and further, the steps shown in FIG. 10 are merely examples for illustration—certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein.
  • procedure 1000 is described with respect to an onboarding server, certain operations may be executed by devices or modules running by a distributed network of devices.
  • the techniques herein provide a mechanism to enable onboarding applicant devices and leverage multiple novel factors/criteria/inputs (e.g., individual trust values, overall trust scores, etc.). These techniques provide a secure and scalable solution to onboarding a large number of devices based on predetermined criteria.
  • the techniques are flexible and can employ automatic approval policies or may also employ a simplified and easy to understand interface (e.g., a dashboard), which can be used to manually approve devices.
  • Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
  • the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
  • devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors.
  • Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, and so on.
  • Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
  • Instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.

Abstract

A server receives a certificate signing request and onboarding information for an applicant device, and identifies a customer associated with the applicant device based on an applicant device identifier and a database identifiers associated with customers. The device determines a registered device associated with the customer is a trusted device, a location trust value for the applicant device based on a geolocation proximity between the applicant device and the trusted device, and an environment trust value for the applicant device based on a proximity in a network topology between the applicant device and the trusted device. The device further determines a trust score for the applicant device based on the location trust value and the environment trust value, and sends a signed certificate to the applicant device over the network when the trust score for the applicant device exceeds a threshold.

Description

TECHNICAL FIELD
This disclosure relates generally to communications systems, more particularly, to multifactor authentication for securing communication channels.
BACKGROUND
Authentication remains a persistent technical problem in our modern information age, driven, in part, by an ever-increasing reliance on network accessible hardware, cloud-based services, as well as a proliferation of untrusted applications and untrusted networks. Generally, authentication is part of an overall security process to determine trustworthiness of an applicant device (or application, service, user, etc.) prior to establishing a secure communication channel. Typically, authentication techniques are described in terms of the number of factors used to identify/verify the applicant device. For example, a typical username/password process includes a two-factor authentication in that a user provides two pieces of information for authentication. Moreover, authentication processes that involve more factors are often more secure (e.g., multifactor authentication processes), however, employing additional factors often involves additional complexity, cost, and time.
BRIEF DESCRIPTION OF THE DRAWINGS
The embodiments herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identical or functionally similar elements. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:
FIG. 1 illustrates an example communication environment;
FIG. 2 illustrates an example device for performing the onboarding techniques disclosed herein;
FIG. 3 illustrates another communication environment, showing various applicant devices and an onboarding server;
FIG. 4 illustrates the communication environment of FIG. 3, showing the onboarding server operatively determining a location trust value and a configuration trust value for one of the client devices;
FIG. 5 illustrates the communication environment of FIG. 3, showing the onboarding server operatively determining an environment trust value for one of the client devices;
FIG. 6 illustrates the communication environment of FIG. 3, showing the onboarding server operatively determining an environment trust value for one of the client devices;
FIG. 7 illustrates the communication environment of FIG. 3, showing the onboarding server operatively determining an overall trust score for one of the client devices;
FIG. 8A illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device that has a secure unique device identifier;
FIG. 8B illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device that does not have the secure unique device identifier nor an associated customer account;
FIG. 8C illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device using an onboard dashboard;
FIG. 8D illustrates a signaling diagram for onboarding an applicant device, showing signal flows for an applicant device using a mobile application;
FIG. 9 illustrates a schematic diagram of an example onboard dashboard display, showing applicant devices and associated trust scores; and
FIG. 10 illustrates an exemplary simplified procedure for onboarding an applicant devices, particularly from the perspective of the onboarding server shown in FIG. 3.
 DESCRIPTION OF EXAMPLE EMBODIMENTS Overview
According to one or more embodiments of the disclosure, an onboarding server performs a multifactor trust/authentication process to onboard an applicant device—e.g., to secure a communication channel between the applicant device and one or more other network devices (e.g., cloud based resources, etc.). For example, in one embodiment, the server receives a certificate signing request (CSR) and onboarding information for an applicant device, where the onboarding information includes at least an applicant device identifier and an applicant Internet Protocol (IP) address. The server also identifies a customer associated with the applicant device based on the applicant device identifier and a database of device identifiers (e.g., a lookup database) for registered devices associated with one or more customers. The server further determines at least one of the registered devices is associated with the customer is a trusted device, and determines a location trust value, an environment trust value, and a trust score based on the location trust value/environment trust value. For example, the server determines the location trust value based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device, and determines the environment trust value based on a proximity in a network topology between the applicant device and the trusted device. The server sends a signed certificate, corresponding to the CSR, to the applicant device when the trust score for the applicant device exceeds a threshold.
Description
Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure.
As noted above, modern businesses increasingly rely on network accessible hardware and software. In this context, network based computing or “cloud” computing generally refers to a collection of computing resources, such as hardware, software, applications, services, etc., allocated to and accessible by customers over one or more communication networks (e.g., the Internet). Operatively, customer devices communicate within and across networks to register, lease, coordinate, or otherwise secure network based computing resources based on customer needs.
A communication network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect these nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, etc.
FIG. 1 illustrates an example communication network environment 100 illustratively comprising a network 105, such as an enterprise network or data center network, as well as a network 110, such as a public network like the Internet. It is appreciated that various other types of networks and/or sub-divisions within these networks are often present; however, communication network environment 100 is illustrated and described herein for purposes of discussion and simplicity.
As shown, network 105 include nodes/devices 106 (e.g., routers, switches, servers, and the like) interconnected by communication links 108. Communication links 108 may be wired links or shared media (e.g., wireless links, etc.) where certain devices may be in communication with other nodes/devices based on, for example, distance, signal strength, network/node topology, current operational status, location, etc. Data packets 140 (e.g., traffic and/or messages) may be exchanged among the nodes/devices 106 in communication network environment 100 using predefined network communication protocols such as certain known wired protocols (e.g., Interior Gateway Protocol (IGP), Exterior Border Gateway Protocol (E-BGP), TCP/IP, etc.), wireless protocols (e.g., IEEE Std. 802.15.4, WiFi, Bluetooth®, etc.), PLC protocols, or other shared-media protocols where appropriate. In this context, a protocol consists of a set of rules defining how the nodes interact with each other. Those skilled in the art will also understand that any number of computing resources, devices, links, etc. may be used in network 105, and that the view shown herein is for simplicity.
Notably, certain nodes/devices 106 in network 105 include “edge” devices interconnected with an onboarding server 200. Onboarding server 200 operatively facilitates communications between one or more client devices 120 in network 110 and network resources (e.g., devices 106) in network 105, as discussed in greater detail below.
FIG. 2 is a schematic block diagram of an example device 200 (e.g., an onboarding server, etc.) that may be used with one or more embodiments described herein. Device 200 may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220, and a memory 240 interconnected by a system bus 250.
Device 200 may comprise one or more network interfaces 210, at least one processor 220, and a memory 240 interconnected by a system bus 250. Network interface(s) 210 contain the mechanical, electrical, and signaling circuitry for communicating data over links coupled to one or more of the networks shown in communication environment 100. Network interfaces 210 may be configured to transmit and/or receive data using a variety of different communication protocols, as will be understood by those skilled in the art.
Memory 240 comprises a plurality of storage locations that are addressable by processor 220 for storing software programs and data structures associated with the embodiments described herein. Processor 220 may comprise necessary elements or logic adapted to execute the software programs and manipulate data structures 245. An operating system 242, portions of which are typically resident in memory 240 and executed by processor 220, functionally organizes the device by, inter alia, invoking operations in support of software processes and/or services executing on the device. These software processes and/or services may comprise an illustrative “onboarding” process/service 244, as described herein. Note that while process/service 244 is shown in centralized memory 240, some embodiments provide for these processes/services to be operated in a distributed computing network.
It will be apparent to those skilled in the art that other processor and memory types, including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein. For example, the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the illustrative onboarding process 244, which may contain computer executable instructions executed by the processor 220 to perform functions relating to the techniques described herein. Also, while this disclosure describes various processes, it is expressly contemplated such processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while the processes have been shown separately, those skilled in the art will appreciate that processes may be routines or modules within other processes. For example, processor 220 can include one or more programmable processors, e.g., microprocessors or microcontrollers, or fixed-logic processors. In the case of a programmable processor, any associated memory, e.g., memory 240, may be any type of tangible processor readable memory, e.g., random access, read-only, etc., that is encoded with or stores instructions that can implement program modules. Processor 220 can also include a fixed-logic processing device, such as an application specific integrated circuit (ASIC) or a digital signal processor that is configured with firmware comprised of instructions or logic that can cause the processor to perform the functions described herein. Thus, program modules may be encoded in one or more tangible computer readable storage media for execution, such as with fixed logic or programmable logic, e.g., software/computer instructions executed by a processor, and any processor may be a programmable processor, programmable digital logic, e.g., field programmable gate array, or an ASIC that comprises fixed digital logic, or a combination thereof. In general, any process logic may be embodied in a processor or computer readable medium that is encoded with instructions for execution by the processor that, when executed by the processor, are operable to cause the processor to perform the functions described herein.
As noted above, authentication remains a persistent technical problem in our modern information age. In the context of multifactor authentication, challenges arise when balancing cost, complexity, convenience, scalability, and overall security. For example, although employing multiple authentication factors may improve security, each additional factor may also increase an overall system complexity, which, in turn, may limit system scalability. While some manufacturers employ hardware based solutions for registering and authenticating devices (e.g., chip level identity packages, secure unique device identifiers certificate and certificate chains, etc.), current deployments of client devices may include legacy and/or non-compatible devices that do not support such hardware based solutions.
Accordingly, the techniques disclosed herein provide security mechanisms to onboard a variety of devices using multifactor authentication, which includes determining trust scores and generating signed certificates. In addition, the techniques herein support onsite applications (e.g., mobile devices) for registering applicant devices as well as dashboard driven trust scores that support initial (e.g., first-time) registrations based on device characteristics, deployment environment (e.g., network topology) information, and the like. After initial registration, the techniques also provide certificate signing request (CSR) processes, initiated by registered devices, for ongoing and seamless communications.
FIG. 3 illustrates another example communication environment 300 for performing onboarding processes according to one or more embodiments of this disclosure. Communication environment 300 includes network 105 (e.g., a data center network), network 110 (e.g., local or client side network), and an onboarding server 305. Onboarding server 305 can represent device 200 (and/or component features thereof). Communication environment also illustrates various client devices, including client devices 321, 322, 323, and 324.
Onboarding server 305 may include a Plug-n-Play (PnP) server operable to collect multiple data points about client devices 321-324 in their respective environment and translate such data points into an overall trust score. This trust score provides a confidence measure based on various factors which will be used by, for example, a network administrator (e.g., using a central onboarding dashboard, a mobile application, etc.) or an automatic process to make a decision whether or not to trust certain devices (e.g., when the overall trust score exceeds a threshold value).
As shown, the client devices 321-324 can include switches, routers, servers, and the like. In addition, client device 322 represents a new or applicant device that attempts to initially establish a secure communication channel for communicating with or otherwise accessing network resources in network 105 (e.g., data center resources). Onboarding server 305 evaluates information corresponding to client device 322 as well as information regarding the environment around or about client device 322. For example, onboarding server 305 collects an applicant device ID, an IP address/geolocation based on the IP address, and device configuration information corresponding to client device 322. In addition, onboarding server 305 also collects environment information in which client device 322 operates. This environment information includes, for example, neighbor device information corresponding to client devices 321, 323 and 324, including neighbor device IDs, IP addresses/geo-locations, and respective device configurations.
FIG. 4 illustrates a schematic diagram 400, showing a process to determine a location trust value 405 and a configuration trust value 410 for client device 322. In operation, onboarding server 305 receives the applicant device ID (e.g., a serial number, a media access control (MAC) address, other device specific identifiers, etc.) and, based on the device ID, determines a customer profile 415 as well as an expected device configuration—e.g., here, a profile 420, which includes expected configuration parameters associated with client device 322. For example, onboarding server 305 may access a database of customer accounts with individual customer profiles, where each customer profile includes a list of registered/trusted devices and registered/trusted device information. As shown, the customer profile 415 includes registered/trusted device information for client devices 323 and 324 (and includes device identifiers and respective IP addresses (or geolocations)).
Onboarding server 305 further determines the geolocations and/or IP ranges for registered/trusted devices associated with customer profile 415 and compares these geolocations/IP ranges to an IP address/geolocation for client device 322. In addition, onboarding server 305 determines location trust value 405 based on a nearness or proximity (e.g., geolocation proximity) between client device 322 and registered/ trusted client devices 323 and 324. As shown, the IP address for client device 322 is within the IP address ranges for client devices 323 and 324, which corresponds to an increased level or trust, or an increased location trust value 405. In contrast, an IP address (or geolocation) for client device 322 outside the IP address ranges (or located at a distant or unexpected geographic location) indicates a decreased level of trust or a decreased location trust value 405 (or may even result in a null or 0 value). In this fashion, onboarding server 305 compares actual location information for client device 322 to other known locations of trusted/registered neighboring devices for the same customer, thereby helping to ensure client device 322 is physically present at or near an expected location (and not a rogue device attempting to hack into network 105).
With respect to determining a configuration trust value 410, onboarding server 305 determines expected configuration parameters (e.g., hardware components/software components/etc.) for client device 322 based on the applicant device ID. For example, onboarding server 305 can access a database of configuration parameters associated with device identifiers (e.g., manufacturing serial numbers, etc.), where each device identifier is matched to configuration parameters such as device type, manufacturer, a number of processors, types of memory, storage capacity, add-on modules, software configurations/modules, operating systems/versions, base licensing information, port capacity, and the like. Onboarding server 305 compares the expected configuration parameters with the actual configuration parameters received from client device 322 to determine configuration trust value 410. In operation, matching configuration parameters correspond to an increased level of trust, or an increased configuration trust value 410, while non-matching configuration parameters correspond to a decreased level of trust, or a decreased configuration trust value 410.
FIG. 5 illustrates a schematic diagram 500, showing a process to determine an environment trust value 505 for client device 322. In operation, onboarding server 305 uses a network discovery protocol (e.g., neighbor discovery, Cisco discovery, inverse neighbor discovery, secure neighbor discovery, and so on) to determine devices neighboring with or connected to client device 322. In this fashion, onboarding server 305 can determine a network topology for devices proximate to client device 322. Once discovered, onboarding server 305 may determine neighbor device information (e.g., serial numbers, types of devices, etc.) and verify such information with customer profiles and trusted/registered devices (e.g., for a deployment site, etc.), as discussed above. Here, onboarding server 305 increases environment trust value 505 for neighboring devices cross-verified with trusted/registered devices for a customer site and decreases environment trust value 505 for non-matching devices.
FIG. 6 illustrates a schematic diagram 600, showing a process to determine an activation trust value 605 for client device 322. In one embodiment, onboarding server 305 receives time stamp 602, which represents the time information when client device 322 sends an initial request (e.g., a certificate signing request (CSR), etc.) to onboarding server 305. Onboarding server 305 also determines a system “up-time” for client device 322, which represents time information corresponding to when the client device was booted up. As is appreciated by those skilled in the art, client device 322 may provide the system up-time to onboarding server 305 in response to a request, or by other request/response mechanisms. Onboarding server 305 determines a time difference between the system up-time and time stamp 602 and compares such time difference to an activation window 610 (e.g., an authorized activation time-period). Activation window 610 represents a threshold window of time between client device 322 booting up and sending the initial request. Onboarding server 305 increases activation trust value 605 when the time difference is within activation window 610, and decreases activation trust value 605 when the time difference is outside of activation window 610.
In another embodiment, activation window 610 may represent an absolute time or time-period, within which client device 322 must send its initial request to onboarding server 305. As is appreciated by those skilled in the art, customers who purchase network equipment often setup such equipment at a customer site within a specified time-period. Such time-period may be based on a customer schedule and/or it may be coordinated with the manufacturer (or 3rd party seller). As shown, activation window 610 can represent the time-period within which a customer is expected to activate or setup client device 322. In operation, onboarding server 305 receives the initial onboard request, determines the initial request time (e.g., based on time stamp 602), and compares the initial request time to activation window 610. Here, onboarding server 305 increases activation trust value 605 when the time stamp associated with the initial request falls within activation window 610 and decreases activation trust value 605 when the time stamp associated with the initial request falls outside activation window 510.
FIG. 7 illustrates a schematic diagram 700, showing a process to combine multiple trust values into a comprehensive trust score 705. As discussed above, onboarding server 305 determines the various trust values, including location trust value 405, configuration trust value 410, environment trust value 505, and activation trust value 605. Onboarding server 305 further compiles or aggregates these trust values into a single trust score 705, which is represented by a number “60”, e.g., on a scale of 0-100, where 0 is untrustworthy and 100 is trustworthy. While onboarding server 305 determines trust score 705 as a numerical value on a particular scale, it is appreciated, any value, metric, or scale may be used to represent trustworthiness or untrustworthiness for trust score 705 (e.g., numbers, percentages, colors, charts, diagrams, etc.). In addition, it is also appreciated that individual trust scores may (or may not) be dispositive ultimate determinations to trust (or not trust) an applicant device. Moreover, some trust values may be emphasized over others by employing weights, ranks, priorities, and the like, as is appreciated by those skilled in the art. In this fashion, trust score 705 provides a confidence measure based on various factors which can be used in an automatic onboarding process (e.g., based on some predetermined criteria) or evaluated by a network administrator using a central onboarding dashboard (or mobile application).
Referring collectively FIGS. 3-7, onboarding server 305 operates to evaluate information corresponding to client device 322 (as well as other information regarding the environment around/about client device 322), determine trust values (e.g., location trust value 405, configuration trust value 410, environment trust value 505, activation trust value 605, etc.), and generate a trust score (e.g., trust score 705) based on the same. In some embodiments, a network administrator (or a user with appropriate privileges) evaluates the trust score to determine if client device 322 is trustworthy while in other embodiments, onboarding server 305 may automatically make such determinations based on some predetermined trust criteria (e.g., threshold values, etc.). Once trusted, client device 322 and onboarding server 305 establish a secure communication channel, which provides access to and allows client device 322 to join a management system as well as other parts of the network.
FIGS. 8A-8D collectively illustrate signaling diagrams 801-804, showing call flows or messages sent between network devices during the onboarding processes described herein. For purposes of discussion herein, certain flows or messages common amongst signaling diagrams 801-804 are generally referenced by the same number and are discussed when initially presented.
FIG. 8A in particular illustrates a signaling diagram 801, showing a baseline process to onboard a device when client device 322 has a secure unique device identifier (SUDI) (e.g., a built-in SUDI certificate based on a specific hardware trust module). As shown, client device 322 boots up attempts to connect to a PnP server service (e.g., access network resources such as those shown in network 105) through onboarding server 305. Client device 322 initiates a secure connection toward the server at step 851, and in response, onboarding server 305 performs a SUDI check with a customer database 805. Customer database 805 represents a database inventory that maps device serial numbers, customer profiles (e.g., customer accounts), and PnP account information. Since client device 322 has a valid SUDI, customer database indicates the SUDI is supported at step 853. Onboarding server 305 and client device 322 perform mutual authentication to establish a secure communication channel using a stored certificate—shown by steps 855, SUDI based secure authentication and 857, secure connection with mutual authentication. However, as discussed above, in some instances, some devices may not be SUDI compatible (e.g., may not use appropriate hardware chips, etc.).
FIG. 8B illustrates a signaling diagram 802, showing a non-SUDI onboarding processes, where client device 322 provides additional information to onboarding server 305 and attempts authentication using a certificate signing request (CSR). As shown, after initial boot-up, client device 322 follows steps 851 and 852. However, in step 854, customer database 805 indicates SUDI authentication is unsupported. In response, onboarding server 305 sends a forbidden device message in step 856, which triggers a CSR from client device 322 in step 858. Onboarding server 305 receives the CSR as well as additional information such as a device identifier (e.g., serial number, MAC address), an IP address, geolocation information, hardware/software configuration information, neighbor device information (e.g., using Cisco Discovery Protocol, etc.), and the like. Onboarding server 305 generates a trust score based on various trust values (e.g., configuration trust value 405, location trust value 410, environment trust value 505, and activation trust value 605), discussed above. Onboarding server 305 further checks with customer database 805, at step 859, for customer account information associated with client device 322. However, customer database 805 indicates, at step 860, no customer account (e.g., “no smart account mapped”) is associated with client device 322. Without an associated customer account, onboarding server 305 rejects, at step 861, the CSR.
FIG. 8C illustrates a signaling diagram 803, showing another non-SUDI onboarding process, where client device 822 is associated with a customer account (e.g., “smart account”). While signaling diagram 802 provides signal flows that describe onboarding server 305 generating trust score 705, checking customer database for customer account information (step 859), and receiving an indication (step 860) no customer account is associated with client device 322, signaling diagram 803 describes signal flows when a customer account is associated with client device 322. In particular, as shown at step 861, customer database 805 indicates client device 822 is associated with a customer account—here, “smart account mapped”. After customer database 805 identifies the customer account, onboarding server 305 determines, in step 862, the customer profile/account information and sends, in step 863, an approval notification to an onboard dashboard 810. Onboard dashboard 810 provides an interface to a user (e.g., network administrator, etc.) and displays approval notifications, device information, trust scores, and the like. A network administrator (or a user with appropriate privileges) accesses onboard dashboard 810 to evaluate devices and approve or deny CSRs based on respective trust scores. Here, the network administrator uses dashboard 810 to approve the CSR request in step 864. In response, onboarding server 305 sends, in step 865, a signed CSR certificate (e.g., a time-bound CSR) to client device 322. Client device 322 establishes a secure communication channel with onboarding server 305 using the signed CSR certificate in step 866.
Notably, in some embodiments, onboarding server 305 may skip step 863 (e.g., sending an approval notification to an onboard dashboard 810) and instead, determine the device is trustworthy based on some predetermined criteria. For example, onboarding server 305 can evaluate the trust score for a device and/or for specific devices identified by a serial number, etc. The onboarding server 305 further compares the trust score for the device (or specific devices) against a predetermined threshold value. In this fashion, for large-scale deployments, an onboarding server may automatically approve certain devices without requiring manual approval, intervention, or further user input by onboard dashboard 810.
In addition, signaling diagram 803 also illustrates an initial or first time approval/authentication process. It is appreciated, however, after performing this initial process, client device 322 can use the signed certificate on an ongoing basis without requiring the same initial information burden.
FIG. 8D illustrates a signaling diagram 804, showing an onboarding process using a mobile application—e.g., onboard mobile application 815. Similar to signaling diagram 803, discussed above, signaling diagram 804 illustrates operations and signal flows between client device 322, onboarding server 305, and customer database 805. However, after customer database 805 indicates a customer account is associated with client device 322 (step 861—“smart account mapped”), onboarding server 305 further identifies, in step 867, a mobile application user for the customer account and further notifies, in step 868, onboard mobile application 815 (e.g., the mobile application user) to evaluate the CSR. Onboard mobile application 815 may provide, for example, a display notification on a mobile device similar to the notifications shown by onboard dashboard 810.
Here, the user approves the CSR request at step 869, and in response, onboarding server 305 sends, in step 865, a signed CSR certificate (e.g., a time-bound CSR) to client device 322. Client device 322 establishes a secure communication channel with onboarding server 305 using the signed CSR certificate in step 866. Signaling diagram 804 generally illustrates notification and authorization by a mobile application. Typically, the mobile device is used by an administrator/installer the mobile application. The mobile device connects to onboarding server 305, which authenticates the user with role-based access control and multifactor web authentication mechanisms.
In addition, for onsite personnel, the administrator/installer can use onboard mobile application 815 to manually validate client device 322 by physically connecting to the device, scanning a device identification tag (e.g., RFID tag, etc.), or performing a network scan using onboard mobile application 815 while onsite/connected to a local network. For example, the mobile application may employ a layer 3 application (e.g., mDNS) that broadcasts a rotating secure ID. The locally connected mobile application can be linked to a central cite, which can confirm the broadcast matches what the mobile application sees. With both devices on the same network and physically present, the installer can trust the credentials, and thus, the applicant device.
Collectively, FIGS. 8A-8D illustrate onboarding processes described by call flows or messages sent between network devices when, for example, an applicant device has a built in secure unique device identifier (SUDI) (signaling diagram 801), an applicant device does not have a SUDI nor is the applicant device associated with customer account information (signaling diagram 802), an applicant device is associated with customer account information and notifications are sent to an onboard dashboard (signaling diagram 803) or sent to an onboard mobile application (signaling diagram 804).
FIGS. 8A-8D collectively illustrate signaling diagrams 801-804, showing call flows or messages sent between network devices during the onboarding processes described herein. It should be noted that certain steps within signaling diagrams 801-804 may be optional, and further, the steps shown in FIGS. 8A-8D are merely examples for illustration—certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein.
FIG. 9 illustrates a schematic diagram of an example onboard dashboard display 900, showing applicant devices, indicated by applicant device identifiers 910, respective status 915 (e.g., “trusted” or “untrusted”), and an action menu 920 (e.g., “approve CSR” or “deny CSR”). Onboard dashboard display 900 may represent a graphical interface used by, for example, onboard dashboard 810 and/or onboard mobile application 815. In general, as discussed above, trust scores, such as the illustrated trust score 925, are determined based on a host of trust values, including an environment trust value, an activation trust value, a location trust value, a configuration trust value, and/or combinations thereof. In addition, in some embodiments, onboard dashboard 810 may provide a manual override interface to an otherwise automatic approval/denial process, where an onboarding server (e.g., onboarding server 305) automatically approves/denies CSRs from applicant devices based on predetermined criteria (as discussed above).
FIG. 10 an example simplified procedure 1000 for onboarding an applicant device, particularly from the perspective of an onboarding server (e.g., onboarding server 305).
Procedure 1000 begins at step 1005 and continues on to step 1010 where, as discussed above, the onboarding server receives a certificate signing request (CSR) as well as onboarding information for an applicant device. As discussed above, the onboarding information typically includes applicant device identifier (e.g., serial number, MAC, etc.), an Internet Protocol (IP) address, device configuration parameters (e.g., hardware, software, etc.), and the like.
Next, in step 1010, onboarding server identifies a customer associated with the applicant device (e.g., a smart account, etc.) based on the applicant device identifier. For example the onboarding server communicates with a database of device identifiers for registered devices associated with one or more customers and matches the applicant device identifier to one of the customers. The onboarding server also determines, in step 1015, one of the registered devices associated with the customer is a trusted device and determines a location trust value for the applicant device, in step 1020, based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device.
In addition, the onboarding device also determines an environment trust value, in step 1025 for the applicant device based on a proximity in a network topology (e.g., using discovery protocols to discover neighboring devices) between the applicant device and the trusted device.
The onboarding server further determines, in step 1030, a configuration trust value based on applicant device configuration parameters (e.g., hardware, processors, memory, software, operating systems, service modules, etc.). For example, the onboarding server may lookup expected device configurations for the applicant device and compare such expected device configurations to actual device configurations provided by the applicant device and/or provided by neighboring devices that communicate with the applicant device.
In step 1035, the onboarding server determines an activation trust value based on an activation time and an authorized activation time-period. For example, as discussed above, the onboarding server can compare a time between device boot-up and the CSR request and/or compare a time stamp associated with the CSR request and an activation window (e.g., a time period) for onboarding the applicant device.
The onboarding server evaluates the various trust values, e.g., the location trust value, the environment trust value, the configuration trust value and/or the activation trust value, to determine, in step 1040, an overall trust score for the applicant device. As discussed above, the trust score can be displayed on a dashboard or other user interface (e.g., mobile application, etc.) for user approval. In some embodiments, however, the onboarding server may make an automatic determination to trust (or deny) the applicant device based on the trust score exceeding some predetermined criteria/value. Once trusted, the onboarding server sends, in step 1045, a signed certificate (CSR) to the applicant device and establishes, in step 1050, a secure communication channel with the applicant device. Procedure 1000 subsequently ends in step 1055, but may continue on to step 1010 where, as discussed above, the onboarding server receives a certificate signing request (CSR) from an applicant device.
It should be noted that certain steps within procedure 1000 may be optional, and further, the steps shown in FIG. 10 are merely examples for illustration—certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein. In addition, although procedure 1000 is described with respect to an onboarding server, certain operations may be executed by devices or modules running by a distributed network of devices.
The techniques herein provide a mechanism to enable onboarding applicant devices and leverage multiple novel factors/criteria/inputs (e.g., individual trust values, overall trust scores, etc.). These techniques provide a secure and scalable solution to onboarding a large number of devices based on predetermined criteria. The techniques are flexible and can employ automatic approval policies or may also employ a simplified and easy to understand interface (e.g., a dashboard), which can be used to manually approve devices.
While there have been shown and described illustrative embodiments and processes executed by an onboarding server, it is to be understood that various other adaptations and modifications may be made within the spirit and scope of the embodiments herein. For example, the embodiments have been shown and described herein with relation to one onboarding server; however, the embodiments in their broader sense are not as limited, and may, in fact, be used with any number of servers, devices, systems, and the like.
The foregoing description has been directed to specific embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium, devices, and memories (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Further, methods describing the various functions and techniques described herein can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on. In addition, devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example. Instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.

Claims (20)

The invention claimed is:
1. A method, comprising:
receiving, by a server, a certificate signing request (CSR) and onboarding information for an applicant device, the onboarding information includes at least an applicant device identifier and an applicant Internet Protocol (IP) address;
identifying, by the server, a customer associated with the applicant device based on the applicant device identifier and a database of device identifiers for registered devices associated with one or more customers;
determining, by the server, at least one of the registered devices associated with the customer is a trusted device;
determining, by the server, a location trust value for the applicant device based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device;
determining, by the server, an environment trust value for the applicant device based on a proximity in a network topology between the applicant device and the trusted device;
determining, by the server, a trust score for the applicant device based on the location trust value and the environment trust value;
determining the applicant device is an additional trusted device when the trust score for the applicant device exceeds a threshold;
sending a signed certificate to the applicant device when the trust score for the applicant device exceeds the threshold, the signed certificate corresponds to the CSR; and
establishing a secure communication channel between the server and the applicant device when the trust score exceeds the threshold.
2. The method of claim 1, wherein the onboarding information further comprises actual configuration parameters, the method further comprising:
identifying expected configuration parameters for the applicant device based on the applicant device identifier; and
comparing the actual configuration parameters with the expected configuration parameters to determine a configuration trust value, and
wherein determining the trust score further comprises determining the trust score for the applicant device based on the location trust value, the environment trust value, and the configuration trust value.
3. The method of claim 2, wherein the actual configuration parameters and the expected configuration parameters correspond to one or more hardware components or software components.
4. The method of claim 1, wherein the CSR is associated with an activation time, the method further comprising:
comparing the activation time to an authorized activation time period to determine an activation trust value, and
wherein determining the trust score further comprises determining the trust score for the applicant device based on the location trust value, the environment trust value, and the activation trust value.
5. The method of claim 1, wherein determining the environment trust value further comprises:
discovering one or more neighbor devices in proximity to the applicant device; and
determining at least one neighbor device is the trusted device based on a device identifier for the at least one neighbor device and the database of device identifiers for registered devices associated with one or more customers.
6. The method of claim 1, wherein the applicant device identifier includes at least one of a media access control address (MAC) address or a serial number.
7. The method of claim 1, further comprising:
displaying the trust score to a network administrator; and
receiving an input by the network administrator that indicates the applicant device is the additional trusted device when the trust score for the applicant device exceeds the threshold.
8. A device, comprising:
one or more network interfaces to communicate in a network;
a processor coupled to the network interfaces and adapted to execute one or more processes; and
a memory configured to store a process executable by the processor, the process, when executed, is operable to:
receive a certificate signing request (CSR) and onboarding information for an applicant device, the onboarding information includes at least an applicant device identifier and an applicant Internet Protocol (IP) address;
identify a customer associated with the applicant device based on the applicant device identifier and a database of device identifiers for registered devices associated with one or more customers;
determine at least one of the registered devices associated with the customer is a trusted device;
determine a location trust value for the applicant device based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device;
determine an environment trust value for the applicant device based on a proximity in a network topology between the applicant device and the trusted device;
determine a trust score for the applicant device based on the location trust value and the environment trust value;
determine the applicant device is an additional trusted device when the trust score for the applicant device exceeds a threshold;
send a signed certificate to the applicant device over the network, the signed certificate corresponds to the CSR when the trust score for the applicant device exceeds the threshold; and
establish a secure communication channel between the server and the applicant device when the trust score exceeds the threshold.
9. The device of claim 8, wherein the onboarding information further comprises actual configuration parameters, wherein the process, when executed by the processor, is further operable to:
identify expected configuration parameters for the applicant device based on the applicant device identifier; and
compare the actual configuration parameters with the expected configuration parameters to determine a configuration trust value, and
wherein the process to determine the trust score is further operable to determine the trust score for the applicant device based on the location trust value, the environment trust value, and the configuration trust value.
10. The device of claim 9, wherein the actual configuration parameters and the expected configuration parameters correspond to one or more hardware components or software components.
11. The device of claim 8, wherein the CSR is associated with an activation time, wherein the process, when executed by the processor, is further operable to:
compare the activation time to an authorized activation time period to determine an activation trust value, and
wherein the process to determine the trust score is further operable to determine the trust score for the applicant device based on the location trust value, the environment trust value, and the activation trust value.
12. The device of claim 8, wherein the process, when executed by the processor, is further operable to:
provide the trust score to a device associated with a network administrator; and
receive an input by the network administrator that indicates the applicant device is the additional trusted device when the trust score for the applicant device exceeds the threshold.
13. The device of claim 8, wherein the process to determine environment trust value is further operable to:
discover one or more neighbor devices in proximity to the applicant device;
determine at least one neighbor device is the trusted device based on a device identifier for the at least one neighbor device and the database of device identifiers for registered devices associated with one or more customers.
14. The device of claim 8, wherein the applicant device identifier includes at least one of a media access control address (MAC) address or a serial number.
15. A tangible, non-transitory, computer-readable media having instructions encoded thereon, the instructions, when executed by a processor, is operable to:
receive a certificate signing request (CSR) and onboarding information for an applicant device, the onboarding information includes at least an applicant device identifier and an applicant Internet Protocol (IP) address;
identify a customer associated with the applicant device based on the applicant device identifier and a database of device identifiers for registered devices associated with one or more customers;
determine at least one of the registered devices associated with the customer is a trusted device;
determine a location trust value for the applicant device based on a geolocation proximity between the applicant IP address and a trusted IP address for the trusted device;
determine an environment trust value for the applicant device based on a proximity in a network topology between the applicant device and the trusted device;
determine a trust score for the applicant device based on the location trust value and the environment trust value;
determine the applicant device is an additional trusted device when the trust score for the applicant device exceeds a threshold;
send a signed certificate to the applicant device, the signed certificate corresponds to the CSR when the trust score for the applicant device exceeds the threshold; and
establish a secure communication channel between the server and the applicant device when the trust score exceeds the threshold.
16. The tangible, non-transitory, computer-readable media of claim 15, wherein the onboarding information further comprises actual configuration parameters, wherein, the instructions, when executed by a processor, are further operable to:
identify expected configuration parameters for the applicant device based on the applicant device identifier; and
compare the actual configuration parameters with the expected configuration parameters to determine a configuration trust value, and
wherein the instructions to determine the trust score are further operable to determine the trust score for the applicant device based on the location trust value, the environment trust value, and the configuration trust value.
17. The tangible, non-transitory, computer-readable media of claim 15, wherein, the instructions to determine the environment trust value are further operable to:
discover one or more neighbor devices in proximity to the applicant device;
determine at least one neighbor device is the trusted device based on a device identifier for the at least one neighbor device and the database of device identifiers for registered devices associated with one or more customers.
18. The tangible, non-transitory, computer-readable media of claim 15, wherein the CSR is associated with an activation time, wherein the instructions are further operable to:
compare the activation time to an authorized activation time period to determine an activation trust value, and
wherein determining the trust score comprises determining the trust score for the applicant device based on the location trust value, the environment trust value, and the activation trust value.
19. The tangible, non-transitory, computer-readable media of claim 15, wherein the applicant device identifier includes at least one of a media access control address (MAC) address or a serial number.
20. The tangible, non-transitory, computer-readable media of claim 15, wherein the instructions are further operable to:
provide the trust score to a device associated with a network administrator; and
receive a user input that indicates the applicant device is the additional trusted device when the trust score for the applicant device exceeds the threshold.
US15/794,259 2017-10-26 2017-10-26 Techniques for onboarding devices based on multifactor authentication Active 2038-12-08 US10826889B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/794,259 US10826889B2 (en) 2017-10-26 2017-10-26 Techniques for onboarding devices based on multifactor authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/794,259 US10826889B2 (en) 2017-10-26 2017-10-26 Techniques for onboarding devices based on multifactor authentication

Publications (2)

Publication Number Publication Date
US20190132308A1 US20190132308A1 (en) 2019-05-02
US10826889B2 true US10826889B2 (en) 2020-11-03

Family

ID=66243440

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/794,259 Active 2038-12-08 US10826889B2 (en) 2017-10-26 2017-10-26 Techniques for onboarding devices based on multifactor authentication

Country Status (1)

Country Link
US (1) US10826889B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11887172B2 (en) 2021-01-29 2024-01-30 Walmart Apollo, Llc Methods and apparatus for electronic detection of fraudulent transactions using machine learning processes

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10868812B2 (en) * 2017-12-29 2020-12-15 ANI Technologies Private Limited Method and system for device authentication
US11106441B2 (en) 2018-09-14 2021-08-31 Microsoft Technology Licensing, Llc Secure device-bound edge workload delivery
US11706255B2 (en) 2019-07-29 2023-07-18 Cable Television Laboratories, Inc. Systems and methods for obtaining permanent MAC addresses
US11706203B2 (en) * 2021-05-14 2023-07-18 Citrix Systems, Inc. Method for secondary authentication
US20230214822A1 (en) * 2022-01-05 2023-07-06 Mastercard International Incorporated Computer-implemented methods and systems for authentic user-merchant association and services
US11652823B1 (en) 2022-12-19 2023-05-16 Uab 360 It Systems and methods for controlling access

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050144437A1 (en) * 1994-12-30 2005-06-30 Ransom Douglas S. System and method for assigning an identity to an intelligent electronic device
US20090031410A1 (en) * 2007-07-23 2009-01-29 Schneider James P Certificate generation for a network appliance
US20090138946A1 (en) * 2007-11-27 2009-05-28 Schneider James P Provisioning a network appliance
US20110078775A1 (en) * 2009-09-30 2011-03-31 Nokia Corporation Method and apparatus for providing credibility information over an ad-hoc network
US20130067110A1 (en) * 2011-09-13 2013-03-14 Cable Television Laboratories, Inc. Deterministic mapping
US20130297242A1 (en) * 2012-05-04 2013-11-07 Siemens Industry, Inc. Methods and systems for measurement and verification weighting with temperature distribution
US20130318343A1 (en) * 2012-05-22 2013-11-28 Cisco Technology, Inc. System and method for enabling unconfigured devices to join an autonomic network in a secure manner
US20140215580A1 (en) * 2013-01-25 2014-07-31 Cisco Technology, Inc. Autonomic network protection based on neighbor discovery
US20140250496A1 (en) * 2005-11-30 2014-09-04 Qurio Holdings, Inc. Methods, systems, and products for measuring trust scores of devices
US20160285858A1 (en) * 2015-03-27 2016-09-29 Hong Li Technologies for authentication and single-sign-on using device security assertions
US20170026859A1 (en) * 2015-07-23 2017-01-26 Qualcomm Incorporated Profiling Rogue Access Points
US20170150308A1 (en) * 2014-07-29 2017-05-25 GeoFrenzy, Inc. Systems and methods for defining and implementing rules for three dimensional geofences
US20180077169A1 (en) * 2016-09-14 2018-03-15 Rapid Focus Security, Llc Reflective Network Device Position Identification

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050144437A1 (en) * 1994-12-30 2005-06-30 Ransom Douglas S. System and method for assigning an identity to an intelligent electronic device
US20140250496A1 (en) * 2005-11-30 2014-09-04 Qurio Holdings, Inc. Methods, systems, and products for measuring trust scores of devices
US20090031410A1 (en) * 2007-07-23 2009-01-29 Schneider James P Certificate generation for a network appliance
US20090138946A1 (en) * 2007-11-27 2009-05-28 Schneider James P Provisioning a network appliance
US20110078775A1 (en) * 2009-09-30 2011-03-31 Nokia Corporation Method and apparatus for providing credibility information over an ad-hoc network
US20130067110A1 (en) * 2011-09-13 2013-03-14 Cable Television Laboratories, Inc. Deterministic mapping
US20130297242A1 (en) * 2012-05-04 2013-11-07 Siemens Industry, Inc. Methods and systems for measurement and verification weighting with temperature distribution
US20130318343A1 (en) * 2012-05-22 2013-11-28 Cisco Technology, Inc. System and method for enabling unconfigured devices to join an autonomic network in a secure manner
US20140215580A1 (en) * 2013-01-25 2014-07-31 Cisco Technology, Inc. Autonomic network protection based on neighbor discovery
US20170150308A1 (en) * 2014-07-29 2017-05-25 GeoFrenzy, Inc. Systems and methods for defining and implementing rules for three dimensional geofences
US20160285858A1 (en) * 2015-03-27 2016-09-29 Hong Li Technologies for authentication and single-sign-on using device security assertions
US20170026859A1 (en) * 2015-07-23 2017-01-26 Qualcomm Incorporated Profiling Rogue Access Points
US20180077169A1 (en) * 2016-09-14 2018-03-15 Rapid Focus Security, Llc Reflective Network Device Position Identification

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Rohitash Kumar Banyal, "Multi-factor Authentication Framework for Cloud Computing," IEEE Computer Society, 2013, pp. 105-110. (Year: 2013). *
Yogendra Shah et al. "Multi-factor Authentication as a Service," IEEE Computer Society, 2015, pp. 144-150. (Year: 2015). *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11887172B2 (en) 2021-01-29 2024-01-30 Walmart Apollo, Llc Methods and apparatus for electronic detection of fraudulent transactions using machine learning processes

Also Published As

Publication number Publication date
US20190132308A1 (en) 2019-05-02

Similar Documents

Publication Publication Date Title
US10826889B2 (en) Techniques for onboarding devices based on multifactor authentication
US10492069B2 (en) Advertising multiple service set identifiers
US11888834B2 (en) Methods and systems for onboarding network equipment
CN108141454B (en) Automatic grouping, authentication and provisioning access points using cloud-based WLAN infrastructure management
US9467441B2 (en) Secure service delegator
US11917399B2 (en) Zero-touch deployment (ZTD) of cellular IoT devices and associated trust model
US11963007B2 (en) Facilitating residential wireless roaming via VPN connectivity over public service provider networks
US20230009167A1 (en) Post-connection client certificate authentication
CN112019503B (en) Method for obtaining equipment identifier, communication entity, communication system and storage medium
US11765164B2 (en) Server-based setup for connecting a device to a local area network
US20230421557A1 (en) Automatic security device network
US20220400118A1 (en) Connecting internet of thing (iot) devices to a wireless network
Nguyen et al. An SDN-based connectivity control system for Wi-Fi devices
US11882447B2 (en) Computer-implemented method and network access server for connecting a network component to a network with an extended network access identifier
US20160344717A1 (en) Communicating between a cluster and a node external to the cluster
JP7437507B2 (en) Performing security negotiations for network configuration
US20230078765A1 (en) Method and system for automated secure device registration and provisioning over cellular or wireless network
US20230336983A1 (en) Establishing a backup connectivity between a sensor and a management system
US20220174473A1 (en) System and Method for Registration During Device Onboarding
US20230164139A1 (en) Automatic discovery of access point controller
CN117135053A (en) Trusted network service construction method and device

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRAHAM, MICKAEL JAMES;PATIL, SANTOSH RAMRAO;DESAI, CHIRAGKUMAR;AND OTHERS;REEL/FRAME:044056/0968

Effective date: 20171106

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE